CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
OpenClaw before 2026.2.19 contains a local command injection vulnerability in Windows scheduled task script generation that allows attackers to execute arbitrary commands by injecting cmd metacharacters into unsafe gateway.cmd arguments. Attackers with control over service script generation values can inject unescaped metacharacters or expansion-sensitive characters to achieve unintended command execution in the scheduled task context.
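The description above covers the general shape of the bug: configuration values are written verbatim into a Windows wrapper script, so a value carrying cmd.exe metacharacters or expansion-sensitive characters becomes part of the command the scheduled task runs. The following is an added illustration, not OpenClaw's own code and not the fix shipped in 2026.2.19; it assumes a generator that renders an executable path plus arguments into a gateway.cmd line, and shows the unchecked "before" shape beside an allow-list check that refuses to write the script when any value falls outside a conservative character set. The executable path and argument values are constructed sample data.

```typescript
// Added example (not OpenClaw's code): hardening the rendering of a Windows
// scheduled-task wrapper script such as gateway.cmd.
// Assumption: the script invokes an executable with arguments taken from
// configuration values, so every value must be checked before it is written
// into a line that cmd.exe will parse.

// Characters cmd.exe treats as command separators, redirections, escapes,
// quoting, or variable-expansion triggers (% and !). Newlines are included
// because a value containing one would become a second script line.
const CMD_UNSAFE: ReadonlySet<string> = new Set([
  "&", "|", "<", ">", "^", "(", ")", '"', "%", "!", "\r", "\n",
]);

// Allow-list of characters that are inert inside a double-quoted cmd argument.
// Quoting alone is not enough: %VAR% expansion happens even inside quotes,
// so anything outside this set is rejected rather than escaped.
const CMD_SAFE_ARG = /^[A-Za-z0-9 _.:\\\/=@,+-]*$/;

// Lists the distinct unsafe characters found in a value, in order of appearance.
function findUnsafeCmdChars(value: string): string[] {
  const found: string[] = [];
  for (const ch of value) {
    if (CMD_UNSAFE.has(ch) && !found.includes(ch)) found.push(ch);
  }
  return found;
}

function isSafeCmdArg(value: string): boolean {
  return CMD_SAFE_ARG.test(value);
}

// "Before" shape of the bug: values are concatenated into the script as-is,
// so a separator such as "&" in a value starts a second command.
function renderGatewayCmdUnsafe(exePath: string, args: string[]): string {
  return `@echo off\r\n"${exePath}" ${args.join(" ")}\r\n`;
}

// Hardened shape: refuse to render if any value is outside the allow-list.
function renderGatewayCmdSafe(exePath: string, args: string[]): string {
  for (const value of [exePath, ...args]) {
    if (!isSafeCmdArg(value)) {
      const bad = findUnsafeCmdChars(value);
      throw new Error(
        `refusing to write gateway.cmd: value ${JSON.stringify(value)} ` +
          `contains cmd metacharacters ${JSON.stringify(bad)}`,
      );
    }
  }
  const quoted = args.map((a) => `"${a}"`).join(" ");
  return `@echo off\r\n"${exePath}" ${quoted}\r\n`;
}

// True when the hardened renderer refuses a set of values.
function hardenedRejects(exePath: string, args: string[]): boolean {
  try {
    renderGatewayCmdSafe(exePath, args);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample: a benign-looking config value carrying a separator.
const sampleExe = "C:\\OpenClaw\\gateway.exe"; // constructed path
const tamperedArgs = ["--port=8080", "--name=x & echo injected"];
console.log(renderGatewayCmdUnsafe(sampleExe, tamperedArgs)); // "&" survives
console.log(hardenedRejects(sampleExe, tamperedArgs)); // true
```

The allow-list is deliberately narrow (letters, digits, space, and a few path and option characters); a value such as a path containing parentheses would be rejected and should be handled by widening the list consciously rather than by falling back to escaping, since cmd.exe quoting and caret escaping interact badly with percent and delayed expansion.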
Analysis
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in the Windows scheduled task script generation component. Attackers with low-level local privileges and control over service script generation values can inject cmd metacharacters into the gateway.cmd arguments to execute arbitrary commands with high impact to confidentiality, integrity, and availability. …
Remediation
Within 24 hours: Inventory all systems running OpenClaw and identify version numbers; assess which systems have local user access and run the vulnerable scheduler component. Within 7 days: Apply vendor patch 2026.2.19 or later to all affected instances, prioritizing production systems and those with high-risk data access. …
External POC / Exploit Code
EUVD-2026-14588
GHSA-ch47-q2q6-jch2